Apple Vulnerability Project Launches with QuickTime Exploit

An easy-to-exploit security vulnerability in Apple Computer's QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks. The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January.

According to an advisory released Jan. 1, the flaw exists in the way QuickTime handles a specially rigged "rtsp://" URL. "By supplying a specially crafted string, [an] attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition," said LMH, one of the mysterious hackers behind the controversial project. He described exploitation of the issue as "trivial" and warned that stack NX can also be rendered useless.

More to the point, it affects Apple, and this is the "Month of Apple Bugs".

Of course, if you look at the latest bug found, it's for VLC, which is a third-party, cross-platform application. So I have a strong feeling those behind MOAB are, while doing a good thing in finding bugs, reaching a bit to make their project successful. That's ignoring the possibility that they may or may not be giving the third-party developers reasonable disclosure beforehand.

They were so good at finding OSX bugs that they had to start with something that is QuickTime based and not really OSX based.

Seems like an attention whore... Couldn't he report the bugs to Apple, instead of just spreading it around?
At the very least, he could've reported it to Apple, and only later spread it around.

This is stupid, just like the people spreading Windows exploits without telling Microsoft.

I bet the hardcore Mac fanboys, the ones that laughed when this was done to Windows a few months back, deny this all, attack the authors and do the internet equivalent of sticking your fingers in your ears, dancing up and down while shouting various expletives.

I just think that he is doing a great job... It just makes the OS and other programs even safer, so we can't say that he is the bad guy...

Ummm... He is the "bad guy".

He is publicly releasing this information without prior notification to the responsible parties (in this case, Apple) of the products. He has gathered up this stuff and kept it to himself so he can release one a day in some self-serving attention-whore fashion.

He is putting everyday users at risk to get his publicity.

So, yes. Bad guy.

He is publicly releasing this information without prior notification to the responsible parties

You don't know all the long-term background.

For example, as far as I know, when MS or Apple are notified of a vulnerability (even with proof-of-concept code!!!) they do this:
MS: says "we haven't seen any malware using this hole IN THE WILD!!!" (and doesn't fix it for years sometimes)
Apple: remains silent. When asked, says there's no vulnerability. Silently releases a patch, denying there ever was a vulnerability.

So to show them to the world and make them do something with this bad practice they need a public punch like this.

This is going to be an exciting month!! I can't wait for all of these NASTY OSX BUGS to be discovered so that it can be made more secure!!

Maybe some ppl will take notice.... their baby isn't as clean as they thought it was!